CVE-2026-44216: wasmtime has a panic when allocating a table exceeding the size of the host's address space

Wasmtime’s allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component.

This bug does not affect the pooling allocator which limits tables sizes to much less than the required amount to trigger the overflow. This bug is only present for the on-demand instance allocator, which is Wasmtime’s default allocator. This bug also requires the memory64 WebAssembly feature to be enabled, which is on-by-default.

Panicking in the host process is considered a denial-of-service vector for Wasmtime.